Sales of Personal Data on Consumer Credit Reports Draw Scrutiny

The Consumer Financial Protection Bureau’s plan to restrict the sale of personal details that top consumer credit reports is pitting privacy advocates who want to shield such information against business groups who say there are legitimate reasons for sharing it.

The agency’s interest in what’s known as “credit header” data is part of a broader effort to crack down on data brokers that gather and sell information about consumers and their finances, often without their knowledge. Much of today’s data broker market runs on personally identifying information taken from credit reports compiled by Equifax Inc., Experian Plc, and TransUnion, the three largest credit reporting companies, according to CFPB Director Rohit Chopra.

Consumer advocates who pushed for new data protections cheered Chopra’s Tuesday announcement of a planned rulemaking under the Fair Credit Reporting Act, known as FCRA. The upcoming proposal would limit the use of personal information to certain purposes, like applications for credit or employment, as opposed to selling data for advertising or other reasons.

Businesses argue, however, that maintaining access to consumers’ information is necessary to defend against fraud and identity theft.

Diverging views over the law’s coverage are likely to fuel intense scrutiny of the rulemaking effort. An earlier agency inquiry into the business practices of data brokers garnered thousands of public comments in response.

One of the challenges facing the CFPB as it writes new rules is how to define data brokers, according to Jennifer Chien, senior policy counsel on Consumer Reports’ team focused on financial fairness.

“It’s a very opaque industry,” Chien said.

Consumer advocates say the upcoming CFPB rulemaking likely will seek to apply the FCRA to additional businesses such as LexisNexis Risk Solutions Inc., a part of RELX Group Plc that collects information including real estate transaction and ownership data, bankruptcy records, and historical addresses.

The agency also intends to clarify when data such as a person’s name and address counts as a “consumer report” under the 1970 law, subjecting it to usage boundaries and granting consumers rights over their data, according to a fact sheet from the CFPB. Applying the credit reporting law to this kind of identifying information could expose companies that handle such data to potential regulatory enforcement actions and private lawsuits from consumers.

Consumer Concerns

Credit header information generally includes details such as a consumer’s name, address, phone number, and Social Security number. It also can include data such as their current and prior employers, mother’s maiden name, and age or date of birth.

Such information isn’t currently considered a consumer report under credit reporting law, even if the information originated in the files of a business like Equifax, Experian, or TransUnion.

Records from the top three credit reporting firms are especially valuable to data brokers because they can be used to “triangulate” pieces of information about a particular person from different sources, said Laura Rivera, senior staff attorney with Just Futures Law, a nonprofit focused on immigration law.

“It’s like a key that opens the door to verifying flows of information,” Rivera said. “That’s how they begin to build a mosaic of information that’s really comprehensive.”

Consumer advocates including the National Consumer Law Center and Consumer Reports have urged the CFPB to protect identifying information connected to credit reports because it can reveal sensitive insights. The lack of a Social Security number, for example, could be used to infer someone’s immigration status.

Cable, phone, and power service providers typically query a consumer’s credit history during account setup to check if the person is likely to pay bills on time. US Immigration and Customs Enforcement was found to have purchased information such as utility customer records from data brokers to assist with deportation proceedings.

Latinx organization Mijente was among the groups that pushed the CFPB to close what consumer advocates call the credit header data “loophole” that allows for the sale of personal information.

“We’re eager to see what kind of impact it can have in protecting people’s really sensitive information,” Jacinta González, a senior campaign organizer with Mijente, said of the agency’s rulemaking.

Establishing FCRA coverage for brokers that “traffic in” data used for credit or employment decisions, like criminal records, is important, according to Chi Chi Wu, a senior attorney at the National Consumer Law Center focusing on credit issues. Doing so would add accuracy requirements and give consumers the ability to dispute and correct any errors, such as mix-ups among people with the same name that can lead to issues with government benefits, Wu said.

“That’s one of the most important reasons to cover information that databases sell under the Fair Credit Reporting Act,” she said.

Business Pushback

Fraud prevention firms cautioned that applying credit reporting protections to credit header data would make it harder to stop scammers and would put consumers at risk.

“Data management companies help protect consumers from fraud and identity theft and make countless everyday transactions safe and seamless,” Dan Smith, the president and CEO of the Consumer Data Industry Association, said in a statement. The association represents consumer credit reporting companies.

LexisNexis Risk Solutions says it uses the basic identifying information in credit headers to find fraudulent transactions.

For example, the company—which counts the top 50 US banks among its clients—says that its fraud model might discover that a scammer is using the same pilfered Social Security number to file 10 different credit applications, but with 10 different home addresses linked to the number, according to a letter LexisNexis Risk Solutions submitted to the CFPB in July.

“These fraud models are effective and helpful to individual consumers, businesses, and government agencies because they find connections between data points that are not necessarily related,” the letter said. Subjecting credit headers to the FCRA would make its tools less effective because the data would be less accessible, LexisNexis Risk Solutions said.

LexisNexis Risk Solutions and other firms would still be able to use credit header data to prevent fraud in credit card, mortgage, and other loan applications as well as housing and employment background checks if the CFPB determines such data is covered by the FCRA. But online retailers seeking to prevent fraudulent transactions would be barred from using the data because retail sales fraud prevention isn’t covered under the law, said Andrew Smith, the former director of the Federal Trade Commission’s Consumer Protection Bureau and now a partner at Covington & Burling LLP.

“Today, that retailer could obtain header and other ID to determine risk of fraud in an online transaction,” Smith said. Smith represented LexisNexis Risk Solutions in its letter to the CFPB, but was speaking in his own capacity and not on the company’s behalf.

Smaller financial institutions may be forced to cut back on their fraud checks if there are restrictions on using credit header data, the National Association of Federally-Insured Credit Unions said in a comment letter to the CFPB.

Federal privacy laws, including the Gramm-Leach-Bliley Act, and state laws allow the use of credit header data for fraud prevention efforts. Scott Talbott, executive vice president for government relations at the Electronic Transactions Association, said the CFPB should put such an exemption in any final rule for data brokers.

“It is important to allow entities to continue to use credit header data to fight fraud and identify individuals,” he said.

But because the FCRA doesn’t include fraud prevention outside of the credit, employment, or housing application context, it’s unclear whether the CFPB has the power to grant such an exemption, Smith said.

“They can’t write new stuff into the statute,” he said.

To contact the reporters on this story: Andrea Vittorio in Washington at avittorio@bloombergindustry.com; Evan Weinberger in New York at eweinberger@bloomberglaw.com

To contact the editors responsible for this story: Adam M. Taylor at ataylor@bloombergindustry.com; Michael Smallberg at msmallberg@bloombergindustry.com